I'm trying to implement the validation from this link.
I don't want the OAuth part of this, but to use the Public key and the headers to verify the data. I've seen many posts related to SendGrid's Event Webhook, but nothing to verify it.
This is what I've attempted, but something is clearly wrong. I'm really not sure how to translate the code from the documentation to C#. I'm not sure where each piece of data from the Request should go. Does anyone have any insight on this?
public async Task<IHttpActionResult> EventsHook()
{
IEnumerable<string> signatureFromHeader = Request.Headers.GetValues("X-Twilio-Email-Event-Webhook-Signature");
byte[] timeStampBytes = Encoding.ASCII.GetBytes(Request.Headers.GetValues("X-Twilio-Email-Event-Webhook-Timestamp").First());
byte[] body = await Request.Content.ReadAsByteArrayAsync();
byte[] payloadHash = timeStampBytes.Concat(body).ToArray();
byte[] signatureByteArray = Convert.FromBase64String(signatureFromHeader.First());
var publicKey = "{myPublicKey}";
byte[] publicKeyBytes = Convert.FromBase64String(publicKey);
var ecdsaParams = new ECParameters
{
D = publicKeyBytes
};
using (var ecdsa = ECDsa.Create(ecdsaParams))
{
if (ecdsa.VerifyData(payloadHash, signatureByteArray, HashAlgorithmName.SHA256))
{
return Ok();
}
return StatusCode(System.Net.HttpStatusCode.Forbidden);
}
}
I just implemented this, and I can help you with this:
1- I used the library starkbank-ecdsa to verify the signature. 2- I declared this interface
public interface IEmailWebHookRequestValidator
{
bool IsValidRequest(HttpRequest request);
}
3- the implementation of this interface is this:
public class SendGridWebHookRequestValidator : IEmailWebHookRequestValidator
{
private const string SIGNATURE_HEADER = "X-Twilio-Email-Event-Webhook-Signature";
private const string TIMESTAMP_HEADER = "X-Twilio-Email-Event-Webhook-Timestamp";
private readonly string _sendGridWebHookPublicKey;
public SendGridWebHookRequestValidator(ISettingsProvider settingsProvider)
{
_sendGridWebHookPublicKey = settingsProvider.SendGridWebHookPublicKey //"public key that you can get from SendGrid website when you enable Event Webhook's signature";
}
public bool IsValidRequest(HttpRequest request)
{
request.Headers.TryGetValue(SIGNATURE_HEADER, out var signatureHeaderValues);
request.Headers.TryGetValue(TIMESTAMP_HEADER, out var timestampHeaderValues);
var signature = signatureHeaderValues.FirstOrDefault();
var timestamp = timestampHeaderValues.FirstOrDefault();
if (string.IsNullOrWhiteSpace(signature) || string.IsNullOrWhiteSpace(timestamp))
{
return false;
}
var body = ReadStream(request.Body);
return VerifySignature(_sendGridWebHookPublicKey, body, signature, timestamp);
}
public bool VerifySignature(string verificationKey, string payload, string signature, string timestamp)
{
var publicKey = PublicKey.fromPem(verificationKey);
var timestampedPayload = timestamp + payload;
var decodedSignature = Signature.fromBase64(signature);
return Ecdsa.verify(timestampedPayload, decodedSignature, publicKey);
}
public static string ReadStream(Stream stream)
{
using var ms = new MemoryStream();
stream.CopyTo(ms);
return Encoding.UTF8.GetString(ms.GetBuffer(), 0, (int)ms.Length);
}
}
ISettingsProvider is just an interface that helps you to retrieve the public key from the settings.
The above code can be easily used when your webhook receives the httprequest by just passing it to the IsValidRequest method.